In a significant breakthrough against one of the most damaging ransomware groups in recent history, a 33-year-old man believed to be responsible for gaining initial access for Ryuk ransomware attacks has been extradited to the United States from Ukraine.
The extradition follows a coordinated international law enforcement effort that began in 2023 and has already led to the dismantling of cybercriminal operations linked to multiple ransomware families, including LockerGoga, MegaCortex, Hive, and Dharma.
Arrest in Kyiv and FBI Involvement
The suspect was arrested in April 2025 at his residence in Kyiv, following a joint investigation by the FBI, Ukraine’s Cyber Police, and the National Police. Ukrainian authorities formally handed him over to the United States on June 18 after confirming his role in the Ryuk operation.
According to the official statement:
“Through the analysis of the information obtained as a result of the investigative actions, it was possible to additionally identify a 33-year-old member of the group who was engaged in searching for vulnerabilities in the corporate networks of the victim companies.”
Once access was gained, the stolen credentials and vulnerabilities were passed to other Ryuk members, who then exfiltrated data and deployed ransomware payloads.
Targeting Global Enterprises Across Multiple Sectors
The Ryuk ransomware group operated at scale between 2018 and mid-2020. It targeted major organizations across the United States, Canada, France, Germany, the Netherlands, and Norway, with a heavy emphasis on high-value sectors such as healthcare—especially during the height of the COVID-19 crisis.
Security researchers have traced Ryuk’s ransom earnings to over $150 million, making it one of the most financially successful ransomware operations of its time.
The FBI had previously placed the arrested individual on an international wanted list, charging him with multiple offenses tied to his role in breaching corporate networks.
Ryuk’s Evolution and Link to Conti
After its peak in 2020, Ryuk underwent a major transformation and rebranded as the Conti ransomware operation. Conti quickly became one of the most prolific ransomware gangs, known for its double extortion tactics—stealing data before encrypting systems and demanding payment for both recovery and data deletion.
Conti shut down operations in 2022, but its members did not disappear. Instead, they splintered into several smaller ransomware groups that continue to operate under new names, keeping Ryuk’s legacy alive in different forms.
A Broader Crackdown on Initial Access Brokers
The arrested Ryuk member specialized in the earliest stage of the ransomware kill chain—initial access. These are individuals who focus on breaching company networks through phishing, credential stuffing, and vulnerability exploitation. Their role is critical, as they sell or pass on access to more specialized threat actors.
This arrest underscores the growing focus by law enforcement agencies on disrupting the ransomware ecosystem at every level, especially by going after the brokers and enablers behind the scenes.